Docker Hub Breach: It's Not the Numbers; It's the Reach

Docker, which offers an open source container platform, is notifying users that an intruder briefly had access to sensitive data from 190,000 Docker Hub accounts, which it says is less than 5 percent of Hub users. But the mishap has caused a collective gasp because the breach potentially magnifies risks for enterprises.

Docker's Hub is a place where developers can store app "containers," which can be quickly deployed or moved. Container images can be set as public or private, and the Hub is the place to go to grab, for example, an official image of MongoDB or nginx.

Docker says in an advisory that one of its Hub databases, which included usernames and hashed passwords, was exposed.

Although the database didn't contain financial data, it did contain tokens from other much-used developer resources, including GitHub and Bitbucket. When developers are building an image - or autobuilding one - coding resources are often pulled from other places. The tokens have been revoked, Docker says.

And that's what makes the Docker Hub breach potentially so much more worrying: If tokens have been compromised, it gives attackers many more places to slip in malicious code.

As one commenter on Hacker News put it, Docker Hub has been an attractive target for some time: "With how much of the internet blindly pulls images from it [Docker Hub], the potential gain from hijacking just one high-profile one would be monumental."

Multiple Risks

Docker has notified affected developers by email, and some may have already noticed revoked credentials. If the hash of a password was exposed, Docker has sent password reset links.

Because tokens for other repositories have been disabled, Docker says those who have autobuilds drawing on GitHub or Bitbucket code will need to re-link the repositories.

Docker says that none of the Official Images have been hacked. "We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image," it says.

The Docker Hub situation illustrates how a breach that looks small by the numbers can be far worse in practice, because developers' work spans many interconnected services.

Or as Dino A. Dai Zovi, a staff security engineer with Square, put it: "2019 being the year of software supply-chain integrity keeps getting truer."

As an example, the mixing of professional and personal coding by developers could magnify the Docker Hub risk, writes Kenn White, a security expert and co-director of the Open Crypto Audit Project, on Twitter.

"On the Docker breach: Even if your company doesn't rely on Docker Hub for production, if a developer in your org enabled autobuilds and linked to GitHub via oauth for a personal project, when that oauth token is compromised, _all_ repos on GH they had access to are vulnerable," White writes.

White also notes that it's usually possible to bypass two-step verification with authorization tokens.

What to Do Now

Those at risk can take several steps to help ensure that containers or repositories haven't been altered.

"If you publish containers to Docker Hub and use autobuilds, please check if your GitHub/BitBucket API tokens have been used to push any changes to your GitHub/BitBucket/Docker Hub repos," Dai Zovi writes.

It's also good to check if new collaborators have been added to a Docker Hub account, Akula writes. Other items to watch out for are if new webhooks or GitHub apps have been added, modified or removed.
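The three checks recommended above (pushes made with the exposed tokens, collaborators added to an account, webhooks or apps added or changed) can be scripted against a repository's metadata. The following is an added example, not code from the article, Docker, GitHub or Bitbucket; it runs the review over constructed JSON shaped like the GitHub REST API responses for `GET /repos/{owner}/{repo}/hooks`, `/collaborators` and `/events`. The review window, the allowlisted webhook URL and the baseline collaborator list are assumed values that a team would fill in from its own records and from the vendor's notification.

```python
"""Review GitHub repository metadata for signs of token misuse after a credential exposure.

Added example (not from the article). Sample data is constructed to resemble
GitHub REST API responses; window dates, allowlists and baselines are assumptions.
"""
from datetime import datetime, timezone


def _ts(s):
    # GitHub timestamps are ISO 8601 with a trailing 'Z'; make them timezone-aware.
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# Assumed review window: from the earliest time the tokens could have been used
# until they were revoked. Take the real dates from the vendor's notice.
WINDOW_START = _ts("2019-04-25T00:00:00Z")
WINDOW_END = _ts("2019-04-27T00:00:00Z")

# Assumed baselines a team would keep for each repository.
ALLOWED_HOOK_URLS = {"https://hooks.example.com/ci"}
BASELINE_COLLABORATORS = {"alice", "bob"}

# Constructed sample responses (shapes follow the GitHub REST API).
SAMPLE_HOOKS = [
    {"id": 101, "config": {"url": "https://hooks.example.com/ci"}, "created_at": "2019-01-10T12:00:00Z"},
    {"id": 202, "config": {"url": "https://unrecognised.example/relay"}, "created_at": "2019-04-26T03:14:00Z"},
]
SAMPLE_COLLABORATORS = [{"login": "alice"}, {"login": "bob"}, {"login": "ci-helper-bot"}]
SAMPLE_EVENTS = [
    {"type": "PushEvent", "actor": {"login": "alice"}, "created_at": "2019-04-24T09:00:00Z",
     "payload": {"ref": "refs/heads/master", "head": "a" * 40}},
    {"type": "PushEvent", "actor": {"login": "alice"}, "created_at": "2019-04-25T18:00:00Z",
     "payload": {"ref": "refs/heads/master", "head": "b" * 40}},
    {"type": "PushEvent", "actor": {"login": "unknown-user"}, "created_at": "2019-04-26T02:30:00Z",
     "payload": {"ref": "refs/heads/master", "head": "c" * 40}},
    {"type": "WatchEvent", "actor": {"login": "carol"}, "created_at": "2019-04-26T04:00:00Z", "payload": {}},
]


def new_webhooks(hooks, window_start, allowed_urls):
    """Hooks created inside the window, or delivering to a URL not on the allowlist."""
    flagged = []
    for h in hooks:
        url = h.get("config", {}).get("url", "")
        if _ts(h["created_at"]) >= window_start or url not in allowed_urls:
            flagged.append({"id": h["id"], "url": url, "created_at": h["created_at"]})
    return flagged


def unexpected_collaborators(collaborators, baseline_logins):
    """Logins with access that are not in the team's recorded baseline."""
    return sorted(c["login"] for c in collaborators if c["login"] not in baseline_logins)


def pushes_in_window(events, window_start, window_end, baseline_logins):
    """Every push inside the window, marking whether the pushing account is a known one.

    A stolen OAuth token acts as the account that issued it, so a push made with
    it shows up under that user's own login; that is why all pushes in the window
    are listed for review rather than only those by unfamiliar accounts.
    """
    hits = []
    for e in events:
        if e.get("type") != "PushEvent":
            continue
        when = _ts(e["created_at"])
        if window_start <= when <= window_end:
            actor = e["actor"]["login"]
            hits.append({
                "actor": actor,
                "known_actor": actor in baseline_logins,
                "ref": e["payload"].get("ref"),
                "head": e["payload"].get("head"),
                "created_at": e["created_at"],
            })
    return hits


def audit(hooks, collaborators, events):
    """Run all three checks and return the findings for a human to review."""
    return {
        "webhooks": new_webhooks(hooks, WINDOW_START, ALLOWED_HOOK_URLS),
        "collaborators": unexpected_collaborators(collaborators, BASELINE_COLLABORATORS),
        "pushes": pushes_in_window(events, WINDOW_START, WINDOW_END, BASELINE_COLLABORATORS),
    }


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_HOOKS, SAMPLE_COLLABORATORS, SAMPLE_EVENTS).items():
        print(section, findings)
```

In real use the three lists come from the GitHub API (or the Bitbucket equivalents) for every repository the affected account could reach, not just the one linked to the autobuild, since the token carried the account's full access; the script only decides what to put in front of a reviewer, and each push it lists should be compared against the commit history the developer recognises.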

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
